Call-center fraud is becoming a bigger problem for card issuers and financial institutions, increasing 45% globally since 2013, according to a new study from Atlanta-based Pindrop Labs. In 2013, an average of one in every 2,900 calls to a call center was fraudulent. This year, the rate is one fraudulent call for every 2,000 calls. Pindrop analyzed more than 10 million calls to enterprise call centers from 2011 to 2016.
The increase in call-center fraud is being driven by the U.S. migration to EMV cards, which makes it harder to perpetrate fraud at the point-of-sale using counterfeit cards, a rise in data breaches, and tighter security in the mobile and online channels. All of these factors are prompting criminals to find new ways to bilk card issuers.
Criminals commit call-center fraud by posing as a credit or debit card holder and using information stolen in a data breach or gathered through social media to answer questions intended to authenticate the customer. Once a criminal has gained access to a cardholder’s account, he can change the PIN or mine an account for additional information that can be used to steal a consumer’s identity.
The increase in fraudulent call-center contacts has pushed up per-call fraud losses to 65 cents, from 57 cents in 2013. “A call center receiving 40 million calls per year can expect to see between $17 million to $27 million in fraudulent transaction losses annually,” says David Dewey, director of research for Pindrop Labs.
Interactive voice response units are the Achilles heel for call centers, Dewey says, as criminals will use stolen cardholder data, such as account numbers and passwords, to authenticate themselves to the IVR. Criminals use IVRs to avoid detection when attempting to gain access to a consumer’s account information, since the systems are typically not monitored, Dewey says. Criminals will also use IVRs to test stolen cardholder data, such as a PIN, for its authenticity before attempting a fraudulent transaction in the online or mobile channels
“We have seen instances where a criminal contacts the call center and provides the consumer’s account number to authenticate himself, then runs an automated program to crack a consumer’s PIN in a matter of minutes,” says Dewey. “One call center surveyed saw an IVR call last 16 hours. Unfortunately, not many call centers monitor their IVR system for abnormal activity.”
Credit card issuers have some of the highest incidents of fraud, with one call in every 800 being fraudulent. In comparison, banks report one fraudulent call in every 1,400. One scam criminals will perpetrate directly with card issuers is to request a credit line increase to give them more open to buy to commit fraud in a card-not-present environment.
A technology call centers can use to detect fraud is phoneprinting, a technique that measures 147 characteristics of the call to create a fingerprint of it. With phoneprinting, call centers can geolocate the origin of the call, which helps defeat applications that generate a false location of origin to fool caller-identification systems.
“Caller-ID spoofing apps are commonly used by criminals, and it is very easy to spoof a caller-ID system initiating a call using VoIP (voice over IP),” says Dewey. “Being able to accurately assess a fraudulent call helps call centers separate fraud calls from legitimate ones.”